http://matasanochargen.disqus.com/enSat, 23 Sep 2006 16:20:45 -0000http://www.matasano.com/log/510/zert-zero-day-emergency-response-team/#comment-2320647shameless but hopefully still acceptable plug. The ability to create and deploy 3rd party 'patches' using freely available software has been around for quite a while here <a href="http://force.coresecurity.com" rel="nofollow">http://force.coresecurity.com</a><br>(a free, still in beta, highly granular and configurable HIPS/HFW tool with an Apache2/CreativeCommons license)<br>Basically, you can define permissions for applications and you share those permissions on an XML file posted on a website, other users can review and download those settings and use whatever permissions you've set to avoid exploitation of vulnerable programs on their systems. For example, denying execution of vgx.dll, dcactle.ocx, etc. is as simple as setting -RX permissions to the file using a GUI)<br><br>Similar things exist for Linux (ie AppArmor) but I dont know if there are any mechanims to share configuration settings among users. Allegedly, this kind of third party solution may not be as important for open source project because fixes come out faster and you can actually find out what was fixed more easily without the need of the highly skilled and generous reverse engineers of the ZERT. Unfortunately some closed-sourced big software vendors tend to think that they are the only ones that can provide effective countermeasures to the bugs they produce in their software. This is, by itself, a demonstration of arrogance and an underlying mentality used to customer lock-in tactics. If third party patches come out faster and more transparently than official fixes the affected users will have more options and some opinions about disclosure of bugs and their fixes may change.ivanSat, 23 Sep 2006 16:20:45 -0000